Topic: Spring Security 3 and CAS single sign-on configuration - Client
Reprinted from: http://www.hxdw.com/bbs/post/print?bid=60&id=144183
1. Spring Security 3 and CAS single sign-on configuration - Client
Posted by: netboy
Posted on: 2010-11-12 11:27
XML code:
  <http auto-config="false" entry-point-ref="casEntryPoint" servlet-api-provision="true">
    <intercept-url pattern="/manage/**" access="ROLE_ADMIN" />
    <intercept-url pattern="/**" access="ROLE_USER,ROLE_ADMIN" />
    <!-- logout-success-url="/login.html" -->
    <logout logout-url="/logout.html" success-handler-ref="casLogoutSuccessHandler"/>
    <custom-filter position="FORM_LOGIN_FILTER" ref="casFilter"/>
  </http>
The key points here are:
* The http element's auto-config is not used.
* entry-point-ref="casEntryPoint" designates the authentication entry point: a class implementing the AuthenticationEntryPoint interface, which gives ExceptionTranslationFilter the means to start authentication.
* <custom-filter position="FORM_LOGIN_FILTER" ref="casFilter"/> installs a custom filter at the FORM_LOGIN_FILTER position of the filter chain.
It may look as though casFilter and casEntryPoint overlap in function.
In fact, casEntryPoint only provides the authentication entry: when a request arrives without permission, it is redirected to that address.
casFilter is what processes the CAS service ticket. When access is refused, casEntryPoint supplies the authentication entry.
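To make the division of labour between the two beans concrete, the following plain-Java program (an added example, not code from the post or from Spring Security) models the CAS 2.0 round trip that casEntryPoint, casFilter and the ticket validator perform, using the three URLs that appear in this post. The ticket value and the two server responses are constructed for the demo; the class name CasRoundTrip and its methods are this example's own.

```java
import java.io.StringReader;
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;

import javax.xml.parsers.DocumentBuilderFactory;

import org.w3c.dom.Document;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

/**
 * Models the CAS 2.0 exchange between browser, Client and CAS server.
 * Step 1 is what casEntryPoint does, steps 3 and 4 are what casFilter does
 * through its Cas20ServiceTicketValidator.
 */
public class CasRoundTrip {
    static final String CAS_NS = "http://www.yale.edu/tp/cas";
    static final String CAS_LOGIN_URL = "https://cas.boc.com:8443/casServer/login";
    static final String CAS_PREFIX = "https://cas.boc.com:8443/casServer";
    // The one URL that points at the Client; it is also the value registered on the CAS server.
    static final String SERVICE_URL = "https://report.boc.com:8443/report/j_spring_cas_security_check";

    /** Step 1 (casEntryPoint): an unauthenticated browser is sent to CAS login with the service URL. */
    static String loginRedirect(String loginUrl, String serviceUrl) {
        return loginUrl + "?service=" + encode(serviceUrl);
    }

    /** Step 2 (CAS server): after a successful login the browser comes back to service?ticket=ST-... */
    static String callbackWithTicket(String serviceUrl, String ticket) {
        return serviceUrl + "?ticket=" + encode(ticket);
    }

    /**
     * Step 3 (casFilter -> ticketValidator): the Client validates the ticket server-to-server.
     * The service parameter must be exactly the URL the ticket was issued for, or CAS rejects it,
     * and a ticket is single-use, so a value taken from the browser is never trusted by itself.
     */
    static String serviceValidateUrl(String prefix, String serviceUrl, String ticket) {
        return prefix + "/serviceValidate?service=" + encode(serviceUrl) + "&ticket=" + encode(ticket);
    }

    /** Step 4: parse the validation response; returns the user name on success, null on failure. */
    static String authenticatedUser(String responseXml) throws Exception {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        factory.setNamespaceAware(true);
        // The response arrives over the network: refuse DOCTYPE so no external entity is ever resolved.
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = factory.newDocumentBuilder().parse(new InputSource(new StringReader(responseXml)));
        NodeList user = doc.getElementsByTagNameNS(CAS_NS, "user");
        return user.getLength() == 0 ? null : user.item(0).getTextContent().trim();
    }

    private static String encode(String s) {
        try {
            return URLEncoder.encode(s, "UTF-8");
        } catch (UnsupportedEncodingException e) {
            throw new IllegalStateException(e); // UTF-8 is always available
        }
    }

    public static void main(String[] args) throws Exception {
        String ticket = "ST-1-constructed-example"; // constructed sample ticket
        System.out.println("1 browser -> " + loginRedirect(CAS_LOGIN_URL, SERVICE_URL));
        System.out.println("2 CAS sends browser to " + callbackWithTicket(SERVICE_URL, ticket));
        System.out.println("3 Client calls " + serviceValidateUrl(CAS_PREFIX, SERVICE_URL, ticket));

        // Constructed CAS 2.0 responses: one success, one failure.
        String success = "<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>"
                + "<cas:authenticationSuccess><cas:user>alice</cas:user></cas:authenticationSuccess>"
                + "</cas:serviceResponse>";
        String failure = "<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>"
                + "<cas:authenticationFailure code='INVALID_TICKET'>ticket not recognized"
                + "</cas:authenticationFailure></cas:serviceResponse>";
        System.out.println("4 user from success response = " + authenticatedUser(success));
        System.out.println("4 user from failure response = " + authenticatedUser(failure));
    }
}
```

Running it prints the three URLs of the exchange, then the user name taken from the constructed success response and null for the failure response. The point to take from step 3 is that the Client never accepts the ticket on the browser's word: casFilter always turns it into a back-channel serviceValidate call against the same service URL that was registered on the server.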
2. Configuring casEntryPoint and casFilter separately
Configuring casEntryPoint
XML code (the class attributes and property names were dropped in the reprint; they are restored below from the Spring Security 3 CAS module):
<beans:bean id="casEntryPoint"
    class="org.springframework.security.cas.web.CasAuthenticationEntryPoint">
  <beans:property name="loginUrl" value="https://cas.boc.com:8443/casServer/login"/>
  <beans:property name="serviceProperties" ref="serviceProperties"/>
</beans:bean>
<beans:bean id="serviceProperties"
    class="org.springframework.security.cas.ServiceProperties">
  <!-- the Client's own ticket-check URL; the only address here that points to the Client -->
  <beans:property name="service"
      value="https://report.boc.com:8443/report/j_spring_cas_security_check"/>
  <beans:property name="sendRenew" value="false"/>
</beans:bean>
Configuring casFilter
XML code (class attributes and property names restored as above; the id of the wrapper bean is inferred from the provider's ref, and the wrapped userDetailsService bean is the application's own, defined elsewhere and not shown in the post):
<beans:bean id="casFilter"
    class="org.springframework.security.cas.web.CasAuthenticationFilter">
  <beans:property name="authenticationManager" ref="authenticationManager"/>
</beans:bean>

<authentication-manager alias="authenticationManager">
  <authentication-provider ref="casAuthenticationProvider"/>
</authentication-manager>

<beans:bean id="casAuthenticationUserDetailsService"
    class="org.springframework.security.cas.userdetails.UserDetailsByNameServiceWrapper">
  <beans:property name="userDetailsService">
    <beans:ref local="userDetailsService"/>
  </beans:property>
</beans:bean>

<beans:bean id="casAuthenticationProvider"
    class="org.springframework.security.cas.authentication.CasAuthenticationProvider">
  <beans:property name="authenticationUserDetailsService" ref="casAuthenticationUserDetailsService"/>
  <beans:property name="serviceProperties" ref="serviceProperties"/>
  <beans:property name="ticketValidator">
    <beans:bean class="org.jasig.cas.client.validation.Cas20ServiceTicketValidator">
      <beans:constructor-arg index="0" value="https://cas.boc.com:8443/casServer"/>
    </beans:bean>
  </beans:property>
  <!-- must be unique per provider; the provider uses it to recognise the CasAuthenticationTokens it created -->
  <beans:property name="key" value="an_id_for_this_auth_provider_only"/>
</beans:bean>
If you are already familiar with Spring Security, nothing more needs to be said here.
Pay attention to the address "https://report.boc.com:8443/report/j_spring_cas_security_check": later this address has to be registered in the CAS service registry, which takes CAS out of its "open model".
It is also the only address that points to the Client; all the others point to the Server.
Finally, casLogoutSuccessHandler.
If the Client wants to log out, it must first log out on the Client and then have the Server invalidate the ticket it issued.
Otherwise, whether only the Client or only the Server is logged out, the system can still be accessed after the logout.
(My original idea was that when the Client logs out, the Client should be able to go to the Server itself and invalidate the ticket, but org.springframework.security.web.authentication.logout.LogoutFilter only ever logs itself out and does not interact with the Client. If you know how, please let me know.)
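One thing worth making explicit about the logout problem described above: the CAS single-sign-on session lives in a cookie (the TGC) that the user's browser holds for the CAS server's domain, so the Client cannot end it with a server-to-server call; the browser has to be redirected to the CAS logout page, which is what the post's handler does. The handler below is an added example, not code from the post, that keeps that redirect but hardens the two things a reviewer would ask about: the setter accepting any string as a redirect target, and caching of the page that follows logout. The class name StrictCasLogoutSuccessHandler and the package reuse are this example's own choices; the logout URL is the one used throughout the post.

```java
package net.viiso.security.util; // package taken from the post's own handler

import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.logout.LogoutSuccessHandler;

/**
 * LogoutSuccessHandler that first makes sure the Client's own HTTP session is gone,
 * then sends the browser to the CAS server's logout page so that the CAS session
 * (the TGC cookie in the browser) is ended as well.
 */
public class StrictCasLogoutSuccessHandler implements LogoutSuccessHandler {

    /** CAS server logout URL, e.g. https://cas.boc.com:8443/casServer/logout in this post. */
    private final URI casLogoutUrl;

    public StrictCasLogoutSuccessHandler(String casLogoutUrl) {
        this.casLogoutUrl = validateLogoutUrl(casLogoutUrl);
    }

    /**
     * Accept only an absolute https URL whose path ends in /logout, so a mis-set property
     * cannot turn the handler into an open redirect to an arbitrary site.
     */
    static URI validateLogoutUrl(String value) {
        try {
            URI uri = new URI(value);
            if (!"https".equals(uri.getScheme()) || uri.getHost() == null
                    || uri.getPath() == null || !uri.getPath().endsWith("/logout")) {
                throw new IllegalArgumentException(
                        "casLogoutUrl must be an absolute https .../logout URL: " + value);
            }
            return uri;
        } catch (URISyntaxException e) {
            throw new IllegalArgumentException("casLogoutUrl is not a valid URI: " + value, e);
        }
    }

    @Override
    public void onLogoutSuccess(HttpServletRequest request, HttpServletResponse response,
                                Authentication authentication) throws IOException, ServletException {
        // LogoutFilter's SecurityContextLogoutHandler has already cleared the SecurityContext and
        // invalidated the session; repeat it defensively in case the handler list was customised.
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate();
        }
        // Keep whatever follows out of caches so the browser's Back button cannot show protected content.
        response.setHeader("Cache-Control", "no-cache, no-store, must-revalidate");
        response.setHeader("Pragma", "no-cache");
        response.setDateHeader("Expires", 0);
        // Hand the browser to CAS; CAS drops the TGC and ends the single-sign-on session there.
        response.sendRedirect(casLogoutUrl.toString());
    }
}
```

Wire it in place of the post's bean with a constructor argument, for example <beans:bean id="casLogoutSuccessHandler" class="net.viiso.security.util.StrictCasLogoutSuccessHandler"><beans:constructor-arg value="https://cas.boc.com:8443/casServer/logout"/></beans:bean>, and the <logout> element in the post's <http> block needs no change. Logout in the other direction, where the CAS server tells each registered Client to drop its session, is what the Jasig CAS client's org.jasig.cas.client.session.SingleSignOutFilter and SingleSignOutHttpSessionListener implement; they are not part of this post's configuration.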
CasLogoutSuccessHandler code
Java code:
package net.viiso.security.util;

import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.logout.LogoutSuccessHandler;

public class CasLogoutSuccessHandler implements LogoutSuccessHandler {
  // CAS server logout page; falls back to the server used throughout this post when not set
  private String url = "";

  @Override
  public void onLogoutSuccess(HttpServletRequest request,
      HttpServletResponse response, Authentication authentication)
      throws IOException, ServletException {
    // runs after LogoutFilter has cleared the local SecurityContext and session
    if ("".equals(url)) {
      url = "https://cas.boc.com:8443/casServer/logout";
    }
    response.sendRedirect(url);
  }

  public void setTargetUrl(String url) {
    this.url = url;
  }
}
After startup, accessing a protected address redirects to the CAS login page.
If the login succeeds, the browser is sent on to the page that was requested.
At this point a simple Client is fully configured.
Next, the Client still has to be registered on the Server. This is not mandatory, but for security reasons, if the CAS server is reachable from the public Internet it is very much worth registering the supported Clients, because once you have logged in to CAS through a Client, CAS hands the logged-in user's information to that Client. If someone imitates a Client application and keeps feeding CAS user names and passwords by brute force, security is compromised.
In addition, a CAPTCHA can be added to the CAS login page.